
Simple plug-and-play Github Action to block unauthorized outbound traffic (egress) in your Github workflows


Bullfrog

Increase the security of your Github Actions workflows using Bullfrog! With Bullfrog, you can easily control all your outbound network connections made from within your Github Actions workflows by defining a list of IPs and/or domains that you want to allow.

Not sure which IPs or domains to allow? Simply run with the default egress-policy (audit mode) to get a list of all outbound network connections without impacting your existing workflows.

Usage

# This action should be the first step of your job, and should be loaded on every separate job.
# If this action is not loaded first, it will not be able to see or block any requests that occurred prior to the action running.
- uses: bullfrogsec/bullfrog@1472c28724ef13ea0adc54d0a42c2853d42786b1 # v0.8.2
  with:
    # List of IPs to allow outbound connections to.
    # By default, only localhost and IPs required for the essential operations of Github Actions are allowed.
    allowed-ips:

    # List of domains to allow outbound connections to.
    # Wildcards are accepted. For example, if allowing `*.google.com`, this will allow `www.google.com`, `console.cloud.google.com` but not `google.com`.
    # By default, only domains required for essential operations of Github Actions and uploading job summaries are allowed.
    # Refer to https://docs.github.com/en/actions/using-github-hosted-runners/about-github-hosted-runners/about-github-hosted-runners#communication-requirements-for-github-hosted-runners-and-github for additional domains that should be allowed for additional Github Actions features.
    allowed-domains:

    # Controls the policy for DNS requests when `egress-policy` is set to `block`.
    #
    #  - `allowed-domains-only` (default): Allows DNS requests only for domains specified in `allowed-domains`.
    #  - `any`: Allows any DNS requests.
    #
    # Default: `allowed-domains-only`
    dns-policy:

    # The egress policy to enforce. Valid values are `audit` and `block`.
    # Default: audit
    egress-policy:

    # Enable this option to allow steps to execute commands with sudo.
    # This is useful for workflows that require elevated privileges to perform certain tasks.
    # Options: `true` (default) or `false`.
    enable-sudo:

Scenarios

Default

The default usage will run in audit mode and will not block any request.

- uses: bullfrogsec/bullfrog@1472c28724ef13ea0adc54d0a42c2853d42786b1 # v0.8.2

Block every outbound connection

- uses: bullfrogsec/bullfrog@1472c28724ef13ea0adc54d0a42c2853d42786b1 # v0.8.2
  with:
    egress-policy: block

Only allow requests to the domains required for pulling a Docker image from Docker Hub

- uses: bullfrogsec/bullfrog@1472c28724ef13ea0adc54d0a42c2853d42786b1 # v0.8.2
  with:
    egress-policy: block
    allowed-domains: |
      *.docker.com
      docker.io
      *.docker.io

Only allow requests to a specific IP address without blocking DNS requests

- uses: bullfrogsec/bullfrog@1472c28724ef13ea0adc54d0a42c2853d42786b1 # v0.8.2
  with:
    egress-policy: block
    allowed-ips: |
      1.2.3.4
    dns-policy: any
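To make the allowlist semantics of the inputs above and of these scenarios concrete, here is an added illustrative re-implementation (not Bullfrog's own code): it applies the wildcard rule from the allowed-domains comment, the allowed-ips match, and the audit/block and dns-policy distinctions to sample destinations. How the real agent records DNS queries under audit mode is not stated in this README; the example assumes they are recorded like any other unallowed connection.

```python
import ipaddress

# Illustrative re-implementation of the policy described in this README.
# Assumption: verdicts are "allow", "block" (egress-policy: block) or
# "audit" (recorded in the summary but not blocked).


def parse_list(block: str) -> list[str]:
    """Split a YAML block scalar such as `allowed-domains: |` into entries."""
    return [line.strip() for line in block.splitlines() if line.strip()]


def domain_allowed(pattern: str, host: str) -> bool:
    """Wildcard rule from the README: `*.google.com` matches `www.google.com`
    and `console.cloud.google.com` but not `google.com`; other entries match
    exactly. Matching is case-insensitive and ignores a trailing dot."""
    host, pattern = host.lower().rstrip("."), pattern.lower()
    if pattern.startswith("*."):
        return host.endswith(pattern[1:])  # pattern[1:] keeps the leading dot
    return host == pattern


class Policy:
    def __init__(self, egress_policy="audit", dns_policy="allowed-domains-only",
                 allowed_domains=(), allowed_ips=()):
        self.egress_policy = egress_policy
        self.dns_policy = dns_policy
        self.allowed_domains = list(allowed_domains)
        self.allowed_ips = {ipaddress.ip_address(ip) for ip in allowed_ips}

    def _verdict(self, allowed: bool) -> str:
        if allowed:
            return "allow"
        return "block" if self.egress_policy == "block" else "audit"

    def decide_connect(self, dest: str) -> str:
        """Verdict for an outbound connection to a domain or an IP literal."""
        try:
            allowed = ipaddress.ip_address(dest) in self.allowed_ips
        except ValueError:  # not an IP literal, so treat it as a domain
            allowed = any(domain_allowed(p, dest) for p in self.allowed_domains)
        return self._verdict(allowed)

    def decide_dns(self, name: str) -> str:
        """Verdict for a DNS query: dns-policy only matters under block mode,
        and `any` lifts the restriction (the allowed-ips scenario above)."""
        if self.egress_policy == "block" and self.dns_policy == "any":
            return "allow"
        return self._verdict(any(domain_allowed(p, name) for p in self.allowed_domains))
```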

Reviewing blocked or unallowed outbound requests

You can view blocked or unallowed outbound requests in the workflow summary.

Runner compatibility

This action currently supports only Github-hosted runners on Ubuntu (ubuntu-latest, ubuntu-22.04 and ubuntu-24.04).

Support or Feedback

If you need support or have any feedback to share, join us on Slack. And if you find Bullfrog useful, please leave a star ⭐️.

License

The code and documentation in this project are released under the MIT License.